Block all but accepted traffic in site-to-site openvpn


I have configure a site to site vpn between home and office.
I would like only some devices at home to be accessible from office, however it seem to ignore all firewall rules I set.
Here is an image of my settings in zones:

home_jens is the interface for my vpn, and I want to prevent any traffic from this vpn that I have not explicitly allowed using a firewall rule. Input and Forward are set to reject and I did hit save and apply.

I also have a custom rule like this:
iptables -t nat -A POSTROUTING -o home_jens -j ACCEPT

It is to make sure that traffic is not NATed, since I want both sides to be able to reach eachothers ip ranges. I tried commenting this out and restarted firewall but nothing changes.

So all devices at office can still reach all devices at home.

Looking at traffic rules I only opened up for traffic from WAN. Same with port forwards, opened some ports but only for wan.

Anywhere else I can check? Is it something I forgot? Seem like OpenVPN bypassess all my firewall rules

Delete the forwarding from home_jens to lan.

1 Like

Thanks @krazeh totally makes sense and works as I would like it to

Kind regards

There's no need, unless you explicitly enable masquerading for the VPN zone.

Oh @vgaetera I thought I had to

I have a couple of ipsec vpns and there I need to do this. If not it masquarades the ip and nothing works.

Is Openvpn and strongswan different i respect to masquarading?

Kind regards

If you assign the VPN interface to the WAN firewall zone, then it will use masquerading.
Otherwise, this should be reported as a bug, since the VPN service should not alter runtime firewall configuration without explicit consent.

@vgaetera I agree it is odd

Regarding the strongswan VPNs I have scratched my head regarding why it masquerades the IP addresses even though I did not set the particular interface to masquraded... But this seems to basic so that I would assume there must be something with my configuration that make the interfaces masquaraded...

You can inspect the runtime configuration:

iptables-save | grep -e MASQUERADE -e SNAT